BC Plans – Fit for Purpose?

In a survey about the experience of handling major losses undertaken Vericlaim and Alarm, more than half of respondents “rated the practical assistance offered by a BCP (Business Continuity Plan) following a major incident as one or two out of a possible score of five”. In other words, the BC Plans of the organisations responding to the survey were found to not particularly helpful when responding to a major loss!

This finding seems to have been rather under reported by the BC community who are usually so forward in explaining the importance of having a BC Plan and extolling the virtues of BC in improving resilience. Personally, I find it a damning indictment of the BC profession.

One of the things that constantly both amuses and horrifies me is how far most BC Plans are from the description given in the Business Continuity Institute’s (BCI’s) Good Practice Guidelines. This states that a BC Plan should be “…focused, specific and easy to use…”, and that the important characteristics for an effective BC Plan are that is direct, adaptable, concise, and relevant.

Over the years I have had the pleasure of see hundreds, if not thousands of BC Plans from a wide variety of organisations, and I can safely say that more than 90% of these plans do not fit in with this description. They tend to contain lots of information that is irrelevant to the purpose of responding to a major incident and seem to be written more for the benefit of the organisation’s auditors than for use by people who need to take action to reduce the impact of the incident on the organisation.

As a BC consultant, I keep trying my best to improve BC Plans, but I’m constantly being knocked back by people who tell me that all sorts of things need to be put into their BC Plans, more often than not because of an audit or review undertaken by a third party.

For far too long this situation has been allowed to continue unchallenged. It cannot do so for too much longer without the BC profession losing credibility.

 

 

Business Continuity – Documenting Events

I don’t think that anyone is going to object to the recommendation that organisations need to document disruptive events so that there is a clear record of what happened and how the organisation handled it. But what if I was to recommend to you that your organisations should document events that haven’t happened?

Sounds crazy? Yes, I agree, but this is the recommendation contained in a book that I’m currently reading on ISO 22301 and Business Continuity. Unfortunately, the book doesn’t elaborate on how this is to be done in terms of which events to include and how much detail should be recorded. Both of these need to be defined if the recommendation is to be followed, otherwise it is a rather pointless recommendation.

If you decide to include every event that might happen then you’ll spend the rest of your life listing them and still not have covered them all. And once you’ve decided on a finite list, do you then go into detail about what the different responses might have been and what might have been the result of each response? In other words, write a novel about each event that hasn’t yet happened?

After a short period of reflection, I’ve decided that this is not a good idea. Is there anyone out there who thinks it is?